Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Add filter on HTTP methods for consumer-restriction plugin #3691

Merged
merged 7 commits into from
Mar 8, 2021
Merged

feat: Add filter on HTTP methods for consumer-restriction plugin #3691

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
d998793
Add http methods filter on consumer-restriction plugin, add test case…
jp-gouin Feb 26, 2021
e30f03f
update indentation and format test file
jp-gouin Feb 26, 2021
a251b28
change pairs to ipairs and correct typo
jp-gouin Feb 26, 2021
b96ac7e
add EOL in consumer-restriction
jp-gouin Feb 26, 2021
770e201
replace allowed_methods by allowed_by_methods, correct typo on is_met…
jp-gouin Mar 2, 2021
720926f
Add new scheme, now blacklist, whitelist and allowed_by_methods can b…
jp-gouin Mar 4, 2021
c62b512
change title of test 28 blacklist -> whitelist
jp-gouin Mar 4, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
123 changes: 77 additions & 46 deletions apisix/plugins/consumer-restriction.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,45 +16,52 @@
--
local ipairs = ipairs
local core = require("apisix.core")

local ngx = ngx
local schema = {
type = "object",
oneOf = {
{
title = "blacklist",
properties = {
type = {
type = "string",
enum = {"consumer_name", "service_id"},
default = "consumer_name"
},
blacklist = {
type = "array",
minItems = 1,
items = {type = "string"}
},
rejected_code = {type = "integer", minimum = 200, default = 403}
},
required = {"blacklist"},
properties = {
type = {
type = "string",
enum = {"consumer_name", "service_id"},
default = "consumer_name"
},
blacklist = {
type = "array",
minItems = 1,
items = {type = "string"}
},
whitelist = {
type = "array",
minItems = 1,
items = {type = "string"}
},
{
title = "whitelist",
properties = {
type = {
type = "string",
enum = {"consumer_name", "service_id"},
default = "consumer_name"
},
whitelist = {
type = "array",
minItems = 1,
items = {type = "string"}
},
rejected_code = {type = "integer", minimum = 200, default = 403}
},
required = {"whitelist"},
}
}
allowed_by_methods = {
type = "array",
items = {
type = "object",
properties = {
user = {
type = "string"
},
methods = {
type = "array",
minItems = 1,
items = {
type = "string",
enum = {"GET", "POST", "PUT", "DELETE", "PATCH", "HEAD",
"OPTIONS", "CONNECT", "TRACE"},
}
}
}
}
},
rejected_code = {type = "integer", minimum = 200, default = 403}
},
anyOf = {
{required = {"blacklist"}},
{required = {"whitelist"}},
{required = {"allowed_by_methods"}}
},
}

local plugin_name = "consumer-restriction"
Expand Down Expand Up @@ -84,42 +91,66 @@ local function is_include(value, tab)
return false
end

local function is_method_allowed(allowed_methods, method, user)
for _, value in ipairs(allowed_methods) do
if value.user == user then
for _, allowed_method in ipairs(value.methods) do
if allowed_method == method then
return true
end
end
return false
end
end
return true
end

local function reject(conf)
return conf.rejected_code, { message = "The " .. conf.type .. " is forbidden." }
end

function _M.check_schema(conf)
local ok, err = core.schema.check(schema, conf)

if not ok then
if not ok then
return false, err
end

return true
end
return true
end


function _M.access(conf, ctx)
local value = fetch_val_funcs[conf.type](ctx)
local method = ngx.req.get_method()

if not value then
return 401, { message = "Missing authentication or identity verification."}
end
core.log.info("value: ", value)

local block = false
local whitelisted = false

if conf.blacklist and #conf.blacklist > 0 then
if is_include(value, conf.blacklist) then
block = true
return reject(conf)
end
end

if conf.whitelist and #conf.whitelist > 0 then
if not is_include(value, conf.whitelist) then
whitelisted = is_include(value, conf.whitelist)
if not whitelisted then
block = true
end
end

if conf.allowed_by_methods and #conf.allowed_by_methods > 0 and not whitelisted then
if not is_method_allowed(conf.allowed_by_methods, method, value) then
block = true
end
end

if block then
return conf.rejected_code, { message = "The " .. conf.type .. " is forbidden." }
return reject(conf)
end
end


return _M
73 changes: 71 additions & 2 deletions docs/en/latest/plugins/consumer-restriction.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,9 +39,10 @@ The `consumer-restriction` makes corresponding access restrictions based on diff
|Name | Type | Requirement | Default | Valid | Description |
|-----------|-------------|--------------|---------------|---------------------------------|-------------------------------------------------------------------------------------------------------------------- |
| type | string | optional | consumer_name | ["consumer_name", "service_id"] | According to different objects, corresponding restrictions, support `consumer_name`, `service_id`. |
| whitelist | array[string] | required | | | Choose one of the two with `blacklist`, only whitelist or blacklist can be enabled separately, and the two cannot be used together. |
| blacklist | array[string] | required | | | Choose one of the two with `whitelist`, only whitelist or blacklist can be enabled separately, and the two cannot be used together. |
| whitelist | array[string] | required | | | Grant full access to all users specified in the provided list , **has the priority over `allowed_by_methods`** |
| blacklist | array[string] | required | | | Reject connection to all users specified in the provided list , **has the priority over `whitelist`** |
| rejected_code | integer | optional | 403 | [200,...] | The HTTP status code returned when the request is rejected. |
| allowed_by_methods | array[object] | optional | | | Set a list of allowed HTTP methods for the selected user , HTTP methods can be `["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS", "CONNECT", "TRACE"]` |

For the `type` field is an enumerated type, it can be `consumer_name` or `service_id`. They stand for the following meanings:

Expand Down Expand Up @@ -116,6 +117,74 @@ HTTP/1.1 403 Forbidden
{"message":"The consumer_name is forbidden."}
```

### How to restrict `allowed_by_methods`

This example restrict the user `jack1` to only `POST` on the resource

```shell
curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"uri": "/index.html",
"upstream": {
"type": "roundrobin",
"nodes": {
"127.0.0.1:1980": 1
}
},
"plugins": {
"basic-auth": {},
"consumer-restriction": {
"allowed_by_methods":[{
"user": "jack1",
"methods": ["POST"]
}]
}
}
}'
```

**Test Plugin**

Requests from jack1:

```shell
curl -u jack2019:123456 http://127.0.0.1:9080/index.html
HTTP/1.1 403 Forbidden
...
{"message":"The consumer_name is forbidden."}
```

Add the capability for `jack1` to get the resource

```shell
curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"uri": "/index.html",
"upstream": {
"type": "roundrobin",
"nodes": {
"127.0.0.1:1980": 1
}
},
"plugins": {
"basic-auth": {},
"consumer-restriction": {
"allowed_by_methods":[{
"user": "jack1",
"methods": ["POST","GET"]
}]
}
}
}'
```

Requests from jack1:

```shell
curl -u jack2019:123456 http://127.0.0.1:9080/index.html
HTTP/1.1 200 OK
```

## How to restrict `service_id`

The `service_id` method needs to be used together with the authorization plug-in. Here, the key-auth authorization plug-in is taken as an example.
Expand Down
Loading